Tuesday, July 16, 2024
EHA

Plurox Modular Malware Spreads Over Local Network and Provide Access to Attackers for Installing Additional Malware

A new malware dubbed Plurox spread itself over the local network using EternalBlue exploit and let attackers gain access to the network to install miners and other malware on the victim’s machine.

The malware is modular, which means; attackers can expand its functionality by adding additional plugins, as required.

Kaspersky researchers discovered the malware in February, it was written in C and compiled with Mingw GCC. Communication with C&C server established through TCP protocol and the plugins are loaded with interfaced via two different ports that are defined with Plurox, and the C&C address is hardcoded.

Plurox Malware Plugins

The C&C server instructs the malware to extract the information from the infected machine, and the commands are encrypted using XOR. Plurox supports for the following seven commands.

  • Download and run files using WinAPI CreateProcess
  • Update bot
  • Delete and stop (delete own service, remove from autoload, delete files, remove artifacts from registry)
  • Download and run plugin
  • Stop plugin
  • Update plugin (stop the process and delete the file of the old version, load and start a new one)
  • Stop and delete the plugin

The malware install’s crypto mine’s based on the system configuration, it sends the system configuration details to the C&C server, and it gets information on which plugin needs to be installed.

“The UPnP plugin modules receives from the C&C a subnet with mask /24, retrieves all IP addresses from it, and attempts to forward ports 135 (MS-RPC) and 445 (SMB) for the currently selected IP address on the router using the UPnP protocol. If successful, it reports the result to the C&C center, waits for 300 seconds (5 minutes), and then deletes the forwarded ports. Researchers believe that this plugin can be used to attack a local network.”

Next one is the SMB plugin responsible for spreading malware over the network using the EternalBlue exploit. Based on the analysis, researchers believe the creators of Plurox and Trickster may be linked.

IoC

C&C servers

178.21[.]11.90
185.146[.]157.143
37.140[.]199.65
194.58[.]92.63
obuhov2k[.]beget[.]tech
webdynamicname[.]com
37.46[.]131.250
188.93[.]210.42

MD5

Main body
59523DD8F5CE128B68EA44ED2EDD5FCA
C4A74D79030336A0C3CF60DE2CFAE9E9
CECFD6BCFDD56B5CC1C129740EA2C524
BE591AA0E48E496B781004D0E833E261
Trickster Worm module
f233dd609821c896a4cb342cf0afe7b2
auto_proc32
2e55ae88c67b1d871049af022cc22aac
auto_proc64
b2d76d715a81862db84f216112fb6930
auto_opencl_amd32
a24fd434ffc7d3157272189753118fbf
auto_opencl_amd64
117f978f07a658bce0b5751617e9d465
auto_miner32
768857d6792ee7be1e1c5b60636501e5
auto_miner64
e8aed94c43c8c6f8218e0f2e9b57f083
upnp32
8cf5c72217c1bb48902da2c83c9ccd4e
upnp64
b2824d2007c5a1077856ae6d8192f523
smb32
6915dd5186c65891503f90e91d8716c6
smb64
cd68adc0fbd78117521b7995570333b2

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Malicious Apps from Google PlayStore Bypassing SMS-Based Two-Factor Authentication and Steal OTPs in SMS

New Android Malware that Uses Chrome to Load Malicious websites through Notifications

FIN8 Hacker Group using Highly Sophisticated ShellTea Malware to Attack Hospitality Sector

Website

Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles